Symantec Encryption Management Server < 3.3.2 MP7 Multiple Vulnerabilities

high Nessus Plugin ID 81179

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The version of Symantec Encryption Management Server listening on the remote host is prior to version 3.3.2 MP7. It is, therefore, affected by multiple vulnerabilities:

- A flaw exists in the handling of specially formatted PGP keys sent to the integrated key management server. This allows a remote attacker to inject email headers in order to manipulate fields within the key or confirmation email. (CVE-2014-7287)

- A flaw exists in '/usr/bin/pgpbackup' when handling filename values. This allows an authenticated, local attacker to execute arbitrary commands with the use of a pipe character. (CVE-2014-7288)

Solution

Upgrade to version 3.3.2 MP7 or later.

See Also

http://www.nessus.org/u?066f39be

Plugin Details

Severity: High

ID: 81179

File Name: symantec_encryption_server_SYM15-002.nasl

Version: 1.9

Type: remote

Family: Misc.

Published: 2/5/2015

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2014-7288

Vulnerability Information

CPE: cpe:/a:symantec:encryption_management_server

Required KB Items: LDAP/symantec_encryption_server/detected

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/29/2015

Vulnerability Publication Date: 1/29/2015

Reference Information

CVE: CVE-2014-7287, CVE-2014-7288

BID: 72307, 72308